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ABSTRACT 



A system and method is provided for managing security on 
a server that receives code for execution. A security manager 
resides on a server and determines whether to permit the 
execution of a servlet based on a characteristic of the servlel. 
The security manager makes this determination by perform- 
ing a number of security checks implemented as a security 
policy that is configured based on the servlet' s network 
source. 

10 Claims, 4 Drawing Sheets 
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SYSTEM AND METHOD FOR SECURING A 
PROGRAM'S EXECUTION IN A NETWORK 
ENVIRONMENT 

This is a request under 37 CFR 1 .60 for filing a Division 
of application No. 08/652,703, filed May 30, 1996. 

BACKGROUND OF THE INVENTION 

This application relates to the provisioa of services in a 
client-server context. More particularly, this application 
relates to securing inter-server services on behalf of a client 
over a network. 

FIG. 1 illustrates a typical client-server environment 
within the World Wide Web. As one of ordinary skill in the 
art will readily appreciate, a user's accessing a web page on 
the World Wide Web involves the cooperation of (at least) 
two pieces of software: the web browser 110, typically 
directly under the user's control as software on the work- 
station 150, and the server 120 for the web page. Responding 
in a manner predetermined by the author of the web page to 
transactions initiated by the browser 110, the server 120 
typically resides on a separate processor 140. 

FIG. 2 sketches a processor 200 such as a workstation 150 
or server 120. Such a processor includes a CPU 210 to which 
a memory 220 and I/O facilities 230 connect by a bus 240. 
The processor 200 connects to an external communications 
system 250 which is, for example, a network or modem 
communications link and memory 220 includes programs 
260. Programs 260 may include one or more programs. 
Although programs 260 are depicted as being stored in 
memory 220, one skilled in the art will appreciate that all or 
part of programs 260 may be stored on or read from other 
computer readable media, such as secondary storage devices 
270, like hard disks, floppy disks and CD-Rom, a digital 
signal received from a network such as the Internet, or other 
forms of RAM or ROM, either currently known or later 
developed. 

As the HyperText Markup Language (HTML) is the 
preferred language for authoring web pages, the description 
below is in the terms of HTML. These terms are explained 
in, for example, I. S. Graham, The HTML Sourcebook^ 1996 
(John Wiley & Sons, Inc., 2d Edition). Graham is incorpo- 
rated herein by reference to the extent necessary to explain 
these terms. However, Graham is not prior art. 

In addition to text and static images for display on the 
user's workstation 150 via the user's browser 110, a web 
page can also include an applet. An applet is a program 
included in an HTML page, whose execution a xiser can 
observe via a browser 110 enabled to recognize, download 
and execute the applet and to display the results of the 
applet's execution. The HotJava® browser, available from 
the assignee of the instant invention, is the preferred browser 
110, and the Java® environment, also available from the 
assignee of the instant invention, is the preferred environ- 
ment for encoding and executing applets. 

The Java® environment is described in, for example, 
Java® Unleashed (Sams.nct Publishing, 1996). Java® 
Unleashed is incorporated herein by reference to the extent 
necessary to explain the Java® environment. However, 
Java® Unleashed is not prior art. 

An applet typically is a small program residing on a server 
120. Some HTML document refers to the applet using the 
<applel> tag. When a browser downloads the HTML docu- 
ment and recognizes the <appl6t> tag, it also downloads the 
applet identified by the applet tag and executes thai applet. 

Written in a general purpose language such as Java®,^ n 
applet is in this way unrestrained in its functionality. It can 
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p erform any function which a program written in anv oth er 
gpnpff^i piirpnci* iftngiiflQ^ (nrh ^ P1 1) can accn m. 
plish. The methodologies of applets, however, are con- 
stramcd by the Java® environment in order to minimize the 
s security risks an applet presents to the workstation 150. Tbal 
is to say, an applet is res mYlfd "p'^'V^* withm a hmmH^H 
"s andbox ." 

While a_ security policy m ^y ^»ffic e for the transfer of 
code from a server to a client, the transfer of code for 
10 e xecution from one server m another server presents greate r 
^:Pfyj-|lY ric^^ anH rpqiiirfY^ a morc stdnRent sccurity polic y. 
A ccordingly, there is a need for a managing secunty on a 
sc iyer which receives code tor execution . 

15 SUMMARY OF THE INVENTION 

Herein is disclosed, in a network environment, a security 
manager residing on a server and deciding whether to permit 
the execution of a servlet based on a characteristic of the 
servlet. 

20 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 illustrates a typical client-server environment 
within the World Wide Web. 
25 FIG. 2 sketches a processor such as a workstation or 
server. 

FIGS. 3, 4 are flowchart illustrating the flow of command 
according to aa embodiment of the invention. 

30 DESCRIPTION OF THE PREFERRED 

EMBODIMENT 

U.S. patent application Ser. No. 08/657,712 (filed May 30, 
1996, entitled, "Method and System for Facilitating 
Servlets," naming as inventors Pavini P. Diwanji et al., and 
assigned as well to the assignee of the instant patent 
application) describes a servlet. U.S. patent application Ser. 
No. 08/657,712 is incorporated herein by reference. Loosely 
described here, a servlet is application code transferred from 
a first server to a second for execution on the second server. 

40 

Because servers are typically accessed orders of magni- 
tude more frequently than a client workstation, maintaining 
the integrity of the server executing a servlet becomes even 
more critical than maintaining the integrity of the client 
executing an applet. Corruption on a server can spread quite 
rapidly to any number of clients. Should corruption pass 
among servers, the rate of corruption of clients can increase 
exponentially. T^e sandbox of the servlet is appropri ately 
restricted. 

5Q Acc ordingly, a server receiving a servlet over a ne twork 
re Ueg^ on the security aspects .instantiated in the Java ® 
compiler, verifier and class loader as described gen erally 
b elow. 

In the HotJava® browser mentioned above, the bound- 
SS aries of the sandbox for an applet are as follows: An applet 
may not read, write or inquire into the status of any 
filesystem on the client workstation 150. An applet from an 
server, say, 1206 running on the workstation 150 can not 
access any other processor 120fl, 120;i, 150 over the network 
60 160 other than its server processor I20b. An applet cannot 
load a library from either its server processor 120 or the 
workstation 150. An applet cannot initiate the execution of 
a process. An applet cannot examine the properties of any 
resource on the workstation 150. 
65 To assist in the enforcement of the boundaries of the 
sandbox of an applet, the assignee of the instant invention 
has developed a suite of protocols for the development and 
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TABLE I 



How to sign and verify JAR files 

Benefit: signature is detached bom .class file; and if scivlet has only one 
.class file, then signed JAR file is just that .class Hie, plus the necessary 
signature info 

Scenario for signing JAR files: 

scrvlel == list of files 
To sign a servlet, use standalone Java program to 

1. specify list of flies 

2. specify method (CA-based or PGP-sly le) 



10 



25 



execution of applets: the Java® development environment 
(or Java® Development Kit). The development environment 
includes a number of packages ("lang/* "io," "net," "util/' 
"awt" and "applet"). To the extent an applet needs language, 
I/O, network, utility, windowing or application support, the 
application must resort to the methods available through the 
classes provided by one or some of the packages of the 
Java® development environment. 

Of course, not all classes and methods can be anticipated. 
As such, the Java® development environment permits the 
construction of additional classes, methods and, ultimately, 
applets. However, the Java® development environment 
includes a compiler which performs a number of checks to 
ensure that the applet docs not contain any security viola- 
tions. For example, the Java® compiler does not permit 
pointers directly to memory. It strictly checks types. Access 
to an object must be through its public interface. The Java® 
compiler leaves memory management for the Java® 
interpreter, and the latter provides the former with no 
information on how it accompHshcs the memory manage- 
ment. 

A Java® verifier checks the code of an applet to ensure 
that the security of the Java® development system is intact. 
The verifier verifies the classfile, the type system checking, 
the bylecode and runtime type and access checking. 

C\ After the verifier passes the applet code, the Java® class 
2, t '^'^ ^Zloader checks the applet code to enforce namespa ces based 
Nan the network source. 

Within each method of a package, the code uses the 30 
security manager to provide a system resource access con- 
trol mechanism. Any time an applet needs to access a 
particular resource, it uses a particular pre-defined method 
which provides checking as to whether the applet can access 
that particular resource. 35 

In addition to the security aspects instantiated in the 
Java® compiler, verifier and class loader as described above, 
the receiving server invokes an improved security manager 
according to the invention. In addition to the security checks 
described above, the server's security manager identifies the 
network source of the servlet and implements a security 
.policy based on the servlet 's network source. 

For example, the server's security manager may allow (or 
r disallow) the execution of any servlet from a predetermined 
list of network sources. Hn^nrte emj ^ndini e^U the authe nti- 
c ation of the source of a servlet, particularly by digit al 
s ig^nature^ is the responsihilitv of the class loa der.) Servlets 
from trusted servers identified by their digital signatures 
^ wmilH he executed. Alternatively, the se rver's security ma n- 

&ft^O a ger may allow (or disallow^ the P Yf^ m i t in n o f n nv u nsigned 

^ s ervlet . As yet another alternative, the server's security 

.IV naanagef may allow (or disallow) the execution of any 

T' signed servlet. 

(Another embodiment of the invention, including Java® 55 
archives (JARs) is described in Table L 



TABLE I-continued 



3. create JAR file, create signature, write signed JAR file 
Hie sun. serve i.u til. jar class library includes support for doing the signing 
(as well as support for packaging up the files into a JAR file.) 

1. Jar j > crcateJarFile (list of files) 

2. h » j-hash (algorithm) 
t i^Si en " h. eng vyyt faiynnfhml \ 

4. ' SignedJARhilc = createJarFile (j, sig, cert, alg) 
Verifying signed servlet, within server classloadcr 

1. If (SignedJarFUe) 

1. extract JarFilc, sign, cert, alq from SigncdJarFile 

2. c = JarFile.hash (algorithm) /• compute hash •/ 

3. pk = ccrl.getPublicKey Q 

4. h = sig.deciypt (algDiilhm) 

5. if (c " h) then /• signature is valid V 

is sig.ID on my list of trusted signatures? 

if yes, load scnict 
A signed JAR fUe has these four fields. 
The prototype uses PGP or X509 based certificate authorities. 
SigncdJarFile format 

* [ Jar file | .class file ] 

• signature 

* algorithm 

• { XS09 certificate | PGP public key] 



More generally, the server's security manager may decide 
whether to execute a servlet based on some other charac- 
teristic of the applet. 

For such servlets as the server allows to execute, the 
server must also decide what server resources the servlet 

TABLE n 
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socket (host. 




read Cfilename'l 


port) 




strings 


access 


DNS name 




immutable 


authorization 


resolution 


server 120a 


Yes 


Yes 


Yes 


server 120b 


No 


No 


No 


server 120n 


Yes 


No 


Yes 



may access. The Java® environment provides a default level 
of service. However, the server can decide to enlarge or even 
shrink the default set of resources to which the servlet has 
access. 

In one embodiment of the invention, the server maintains 
a configurable security policy on a group or pcr-server basis 
(as described above). The server maintains a list of config- 
urable resources, a list of the configurable accesses possible 
for each resource and a cross-list of servers (or groups of 
servers) and the accesses they may have. Table II illustrates 
50 one such configurable seciu-ity policy wherein server 120fl is 
not trusted at all and all security checks are applied to any 
servlet having server 120fl as its source, while server 120 is 
sufficiently trusted not to need access authorization for 
readQ's. Servlets from server l2Qb are completely trusted. 

In the configurable policy embodiments, the namespace 
of the configurable embodiments supply the methods for the 
security manager's checks, typically by creating a subclass 
of the Java® environment's security manager. 

In one embodiment, the security manager includes 
60 means for notifying the system administrator of the serve 
that a servlet desires a resource from which it is currentl 
excluded. O n notification. the system administrator m av 
re configure the f^ecuHty policy to alln\y th e servlet th 
de sired acce ss. (Whether some class of servlets may cause 
65 notification of the administrator can also be configurable.) 
In another embodiment, signed servlets are complet^, 
trusted (as server 120b in Table II) and have full access to 
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the server. Unsigned servers, however, are blocked from 
executing HTTP requests and responses and inter-servlet 
communications. Unsigned servlets do not have access to 
the server's file system, properties files, dynamic configu- 
ration files, or memory management facilities. 5 

FIG. 3 is a flowchart illustrating the flow of command 
according to an embodiment of the invention. 

Of course, the client may likewise decide whether to 
execute application code (applet) loaded over the network 
based on the source or other characteristic of the applet. lO 

Of course, the program text for such software as is herein 
disclosed can exist in its static form on a magnetic, optical 
or other disk, on magnetic tape or other medium requiring 
media movement for storage and/or retrieval, in ROM, in 
RAM, or in another data storage medium. That data storage 15 
medium may be integral to or insertable into a computer 
system. 

What is claimed is: 

1. A computer-implemented method for signing a first 
archive file, said method comprising: 20 

selecting one of a plurality of security algorithms for use 

with said first archive file; 
computing a signature for said first archive file according 

to said selected security algorithm; and 

25 

creating a new archive file comprising said first archive 
file, said selected security algorithm and said signature. 

2. The method of claim 1, wherein said first archive file 
comprises a single file. 

3. The method of claim 1, wherein said selecting com- 
prises selecting a certificate -based algorithm for use with 
said first archive file. 

4. A computer-readable medium containing instmctions 
for performing a method for causing a computer system to 
sign a first archive file, said method comprising: ^5 

selecting one of a plurality of security algorithms for use 

with said first archive file; 
computing a signature for said first archive file according 

to said selected security algorithm; and 
creating a new archive file comprising said first archive 

file, said selected security algorithm and said signature. 

5. A computer- implemented method for validating a 
signed archive file comprising an included archive file, an 
associated security algorithm and a signature, said method 
comprising: '^5 

extracting said included archive file, said associated secu- 
rity algorithm, and said signature from said signed 
archive file, wherein the associated security algorithm 
is selected from one of a plurality of security algo- 
rithms for use with said included archive file; 

calculating a value for said included archive file according 
to said associated security algorithm; 

extracting a corresponding value from said signature; and 

determining said archive file as valid when said calculated 55 
value and said extracted corresponding value compare 
equal. 

6. The method of claim 5, wherein said extracting of a 
corresponding value comprises conferring with a certificate 
authority to obtain a certificate for verifying said signature. 
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7. A computer-readable medium containing instmctions 
for performing a method for caxising a computer system to 
validate a signed archive file comprising an included archive 
file, an associated security algorithm and a signature, said 
method comprising: 

extracting said included archive file, said associated secu- 
rity algorithm, and said signamre from said signed 
archive file, wherein the associated security algorithm 
is selected from one of a plurality of security algo- 
rithms for use with said included archive file; 

calculating a value for said included archive file according 
to said associated security algorithm; 

extracting a corresponding value from said signature; and 

determining said archive file as valid when said calculated 
value and said extracted corresponding value compare 
equal. 

8. A computer system comprising: 

a medium for data storage wherein is located a computer 
program for causing a computer system to validate a 
signed archive file comprising an included archive file, 
an associated security algorithm and a signature by 
extracting said included archive file, said associated 
security algorithm, and said signature from said 
signed archive file, wherein the associated security 
algorithm is selected from one of a plurality of 
security algorithms for use with said included 
archive file; 

calculating a value for said included archive file 
according to said associated security algorithm; 

extracting a corresponding value from said signature; 
and 

determining said archive file as valid when said calcu- 
lated value and said extracted corresponding value 
compare equal; and 
a CPU couple to said medium, for executing computer 

programs. 

9. A medium for data storage comprising: 

a first program for creating a first archive file; 
a second program for 

selecting one of a plurality of security algorithms for 

use with said first archive file; 
computing a signature for said first archive file accord- 
ing to said selected security algorithm; and 
creating a new archive file comprising said first archive 
file, said selected security algorithm and said signa- 
ture; and 

a CPU, coupled to said data storage medium, for execut- 
ing computer programs. 

10. A computer-implemented method for signing a first 
archive file, said method comprising: 

selecting one of a plurality of security algorithms for use 

with said first archive file; 
computing a signature for said first archive file according 

to said selected security algorithm; and 
creating a new archive file comprising said first archive 

file, said selected security algorithm, said signature, 

and a certificate. 

* 4> <^ <(< * 
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